Just saw a post that got me thinking.
Over the years I've seen many issues with the transport protocol failing over from ESP to SSL. Oftentimes it wouldn't work and would give the dreaded "Reconnecting" messages.
Who has gone SSL only? Has it been good for you? Any complaints about performance? Would you recommend it?
Thanks,
Justin
I had it running over SSL for 2 years and haven't had any problems. The performance makes no difference in my opinion. I've configured ESP now, which works great as well, but I can't say that it's appreciably faster.
Which reconnecting message do you mean? If it's not able to connect via UDP/4500 it starts the SSL session immediately. I haven't seen any reconnecting messages then?
Why did you switch to ESP?
I think ESP is prone to more connectivity issues. I would often see messages in the logs of the traffic failing over to SSL.
Thanks,
Justin
Well, one thing you might want to keep in mind is that SSL does put more load on the box vs. ESP. Now, I did run into an issue where users failing over from ESP to SSL was causing our CPU to spike, but that was a couple of builds ago.
@jickfoo wrote: Why did you switch to ESP?
I think ESP is prone to more connectivity issues. I would often see messages in the logs of the traffic failing over to SSL.
Thanks,
Justin
Of course you're going to see messages in the logs about traffic failing over to SSL. Anywhere that UDP 4500 isn't open out of the network, i.e. many hotels, conference centers, customer/vendor sites, etc.
We did notice a significant improvement in speed and reduced load on our SA6500s when we implemented ESP. Specifically, file transfers and NetBIOS traffic saw the biggest improvement.
Yes, ESP is set for performance and SSL for compatibility.
There were bugs in certain releases which caused instability, e.g. 6.0R1, 6.0R2, 6.0R3.x, 6.0R4.0, 6.0R4.1.
Release 5.x is not affected.
http://kb.pulsesecure.net/index?page=content&id=KB11990&actp=search&searchid=1269298497320
http://kb.pulsesecure.net/index?page=content&id=KB8569&actp=search&searchid=1269298497320
http://kb.pulsesecure.net/index?page=content&id=KB3116&actp=search&searchid=1269298497320
Hope this helps
Network Connect starts by using SSL/NCP with the intention of using ESP as the transport mode. If the ESP mode is not established within the fallback timeout, then it continues to use the SSL/NCP mode. When the fallback occurs, it uses the existing SSL session and does not renegotiate the SSL session.
A firewall will see two connections per user when using ESP: one for the Control Channel on port 443 (SSL) and one for the Data Channel on port 4500 (default for ESP). When using SSL/NCP, both the Control and Data Channel use SSL.
SSL transport mode will provide reliability, but performance will take a hit.
You need to see why/where/if the ESP/UDP packets are dropped between the NC/ESP client and the NC/ESP server.
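The two-channel behaviour described in this answer, as an added example that is not part of the thread: a small script that reads constructed firewall flow records and flags which clients established the UDP/4500 data channel within the fallback timeout and which ones stayed on SSL/NCP, plus which clients had UDP/4500 denied outright. The timeout value and the log format are assumptions for illustration, not the SA's real settings.

```python
"""Classify Network Connect sessions as ESP or SSL-fallback from firewall flow records.

Added example (not from the thread). Assumptions: the control channel is TCP/443,
the data channel is UDP/4500, and if no allowed UDP/4500 flow from the same client
appears within FALLBACK_TIMEOUT seconds of the control channel start, the session
is treated as having fallen back to SSL/NCP.
"""
from collections import defaultdict
from datetime import datetime

FALLBACK_TIMEOUT = 15  # seconds; assumed value, the real timeout is configured on the SA

# Constructed sample records: "timestamp client proto dport action".
SAMPLE_LOG = """\
2024-05-01T08:00:00 10.1.1.10 tcp 443 allow
2024-05-01T08:00:03 10.1.1.10 udp 4500 allow
2024-05-01T08:05:00 10.1.1.11 tcp 443 allow
2024-05-01T08:05:20 10.1.1.11 udp 4500 deny
2024-05-01T08:10:00 10.1.1.12 tcp 443 allow
"""


def parse_records(text):
    """Parse the constructed log format into (timestamp, client, proto, dport, action) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, proto, dport, action = line.split()
        records.append((datetime.fromisoformat(ts), client, proto.lower(), int(dport), action))
    return records


def classify_sessions(records, timeout=FALLBACK_TIMEOUT):
    """Return {client: 'esp' | 'ssl-fallback'} for every client that opened a control channel."""
    control_start = {}
    data_seen = defaultdict(list)
    for ts, client, proto, dport, action in sorted(records):
        if proto == "tcp" and dport == 443:
            control_start.setdefault(client, ts)  # first control channel start wins
        elif proto == "udp" and dport == 4500 and action == "allow":
            data_seen[client].append(ts)
    result = {}
    for client, start in control_start.items():
        in_window = any(0 <= (t - start).total_seconds() <= timeout for t in data_seen[client])
        result[client] = "esp" if in_window else "ssl-fallback"
    return result


def denied_esp_clients(records):
    """Clients whose UDP/4500 packets the firewall dropped: the place to start looking."""
    return {c for _, c, proto, dport, action in records
            if proto == "udp" and dport == 4500 and action == "deny"}
```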
Hi,
Does it mean I have to have port 443 translated to the SA device from the firewall even if I am using ESP mode? I actually have another device listening on port 443, so I have to use another port. Now, as per the documentation, NC can work on UDP 4500, but looking at your response it seems like port 443 is not completely eliminated even after using UDP. Please clarify/help.
Regards
Mazhar Rafi